UK corporates rushing to roll out ebusiness infrastructures came under fire from industry experts last week.
Internet security tester NTA Monitor told Network News that essential security configurations are commonly sacrificed to speed up ecommerce deployments.
NTA blamed the problem on high-level directors who put such unrealistically tight timeframes on ebusiness projects that IT managers are unable to deploy adequate supporting security measures.
Deri Jones, analyst at NTA Monitor, said that his monitoring of ebusinesses was finding more and more built purely on a Microsoft platform, which was often run without any relevant configurations.
"You can get an ebusiness site up and running very quickly by using Microsoft straight out of the box, but by doing this you are neglecting security configurations," he said.
NTA's latest scans of UK ebusiness sites found that badly configured Microsoft Active Server Pages - one of the most popular ebusiness platforms - commonly create vulnerabilities.
Jones explained that ASPs run without configuration are "almost too functional for their own good". He said that poor security on enterprise websites was often down to them being poorly configured by administrators.
Jones said that if sites using ASPs are left with default settings installed, the debugging mode, which is designed to show error messages intended for developers, will be available. By searching the internet using the wording for these error messages, it is possible to find affected sites and view the source code for the listed pages, which should never be publicly visible.
"The visible source code could hold back-end database passwords," warned Jones. "We have identified dozens of UK sites leaking information in this way, with regular search engines providing pointers to the actual code behind the pages."